Citrix remote code execution vulnerability was published last month, the vulnerability can be tracked as CVE-2019-19781.
It may create a serious threat for organizations deployed with Citrix Application Delivery Controller and gateway.
An advisory was released by Citrix detailing the configuration changes to mitigate the vulnerability. The following are the affected versions.
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Citrix believed to be used in more than 80,000 companies around the globe, the vulnerability could pose a serious threat for organizations.
Attackers Scan For Vulnerability
A couple of days before researchers observed that attackers started scanning for the vulnerability, the scans include simple to dangerous requests.
Citrix Remote Code Execution – PoC Published
A Security researchers group with handle projectzeroindia published the first working exploit code for the vulnerability.
Following that TrustedSec published the exploit code, TrustedSec said that they have the tool developed earlier but they opted to have private, as other researchers published code, they too released.
MDSsec released a video demonstration explaining how the vulnerability can be exploited, but the code was not published.
Shodan has added detection for the Citrix vulnerability (CVE-2019-19781).
After the PoC code published a huge spike detected on honeypots, attackers started using public exploits to install backdoors.